[VOIPSEC] VoIP vulnerabilities summarization
sukery
sukerry at 126.com
Thu Dec 15 21:20:19 CST 2005
Hi Brian,
What a wonderful comment! Thank you very much, I learned a lot.
>A more accurate description would be potential threat vectors. The term
>"vulnerability" should be used to define a very specific threat vector
>so that an exploit can be constructed. Specifically:
But in fact we have constructed an exploit according to these threat vectors; we have realized and tested the attacks.
>#1 - Your point seems to be that the underlying IP network is insecure
>and because of that a vulnerability exists. If we follow your logic
>then all applications are insecure. The reality is that in
>communications between humans there is no such thing as a completely
>secure transaction. Where is the potential exploit?
I agree with you.
>#2 - SIP implementations do have call setup requirements. You did a
>fine job of describing many of those requirements. You stated that the
>potential exists for abuse if many calls were attempted. You have
>ignored the additional logic and dependencies that already exist in the
>call setup process. Different implementations may not commit the same
>resources. As such the DoS might not always work. I think you were
>close here.
In point 2, I talked about HTTP authentication, which is defined by RFC 3261, and I think this single-directional authentication is a vulnerability of the SIP protocol, and this vulnerability has no relationship with the implementation.
>#3 - Again, you seem to be pointing at a DoS where the effects would vary
>between implementation. Not as close as your #2.
The transaction mechanism is defined by the IETF, and all implementations should follow this standard. So what brings the DoS attack is in fact the complexity of the transaction mechanism, not the implementation. Yes, the effects of DoS on different implementations are not the same, but the truth is that a DoS can easily bring down implementations because they are all built on the same mechanism.
>#4 - An unencrypted data stream does not qualify as a vulnerability. If
>you talk on the phone you can be overheard. Doesn't that make all calls
>insecure?
I agree with you, thanks.
>
>#5 -Any program has a code flow. Saying that a program has the potential
>to be broken is not a vulnerability.
I think this is a vulnerability. When we talk about CVE, the V means vulnerabilities, and many CVE IDs are assigned as a result of some attack against implementations.
A code flaw is not a vulnerability of the protocol but of the implementation.
>#6 - So any "attack" or really nuisance that exists on the PSTN can
>impact VoIP users. True. Vulnerability? No.
>Again, the thought that is expressed here is great. I would suggest you
>need to drill down on specifics before throwing around the word
>"vulnerability".
Thank you for your advice!
>Liberty for All,
>
>Brian Ford
>
>
>>Message: 4
>>Date: Tue, 13 Dec 2005 18:37:1 +0800
>>From: "sukery" <sukerry at 126.com>
>>Subject: [VOIPSEC] VoIP vulnerabilities summarization
>>To: Voipsec at voipsa.org <Voipsec at voipsa.org>
>>Message-ID:
>> <mailman.18.1134475203.18425.voipsec_voipsa.org at voipsa.org>
>>Content-Type: text/plain; charset="GB2312"
>>
>>
>>Here is the summarization of VoIP vulnerabilities, and we are proud to say that we have realized an attack system to validate almost all the vulnerabilities, and I think points 2 and 3 are due to the imperfection of the SIP protocol itself.
>>
>>1. The traditional IP network is insecure; its data stream is open to the public. VoIP, which is based on the IP network, certainly inherits this insecurity. This situation brings lots of attacks, such as man-in-the-middle attack, call termination, SIP password brute-force cracking, etc.
>>
>>2. SIP reuses the authentication mechanism from the HTTP protocol. In fact, HTTP authentication is totally imperfect when applied to the SIP protocol, because it is a single-direction authentication, which means that only the server authenticates the endpoints; the endpoints do not authenticate the server. This situation makes it easy to deceive endpoints because they do not authenticate any entity in the network. Pseudo call (calling someone with a false user ID) and server impersonation are dangerous attacks due to this vulnerability.
>>
>>3. SIP communication is based on message transactions; however, the SIP transaction mechanism is quite complicated. For example, when a stateful proxy server receives a SIP request message, it first computes the transaction ID for this message. If the transaction ID did not exist before, this request message is regarded as a new message, and the server will do a lot of things for this new message: save this message, create a finite state machine for this message, construct a provisional response message and send it back, save this response message, update the finite state machine, decide the next hop of this request message based on the complex routing rules, forward the request message, create one or more client transactions for the request message... These steps surely consume lots of CPU and memory resources. As a result, the server is susceptible to DoS attacks when a hacker continually sends large quantities of SIP request messages with different Call-IDs.
>>
>>4. Unencrypted media streams such as RTP data are easy to wiretap.
>>
>>5. Almost all VoIP software has some code flaws; in this case, even a single malicious packet may bring down the server. We call this packet an exception packet; in fact, we have found exception packets against both SIP servers and H.323 servers.
>>
>>6. VoIP endpoints are much more intelligent than traditional PSTN terminals; however, when this capability is abused, a lot of malicious network attacks appear:
>> disturbance call
>> call leaflet
>> voice broadcast
>> and more??
>>
>
>--
>'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
> Brian Ford - 60Mustang at optonline.net
>
> Surf safe! Have you checked your Firewall recently?
>
> thefordsgarage.net - Because all the good stuff is in the garage!
>"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
>
>
>
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
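The one-way Digest exchange argued over in point 2 above, as an added example that is not part of the thread or of any project mentioned in it. It models the UA side of RFC 3261 section 22 (which reuses the RFC 2617 Digest computation) and a registrar that checks the response. The realm, user names, passwords, URIs and the attacker's position "where the UA expects its registrar" are constructed assumptions; the only real vector is the RFC 2617 sample used to check `digest_response`. It goes one step beyond the text by showing what the one-way property buys an impersonator: the UA answers a relayed challenge exactly as it would answer a genuine one.

```python
"""Digest authentication in SIP (RFC 3261 section 22, reusing RFC 2617):
the server challenges the UA and the UA proves it knows the password, but the
challenge itself carries nothing the UA can verify.  Added example, not code
from the VOIPSEC thread; users, realm, passwords and nonces are constructed."""
import hashlib
import hmac
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, realm, method, uri, nonce,
                    qop=None, cnonce=None, nc="00000001"):
    """Digest 'response' value per RFC 2617 section 3.2.2 (MD5, optional qop=auth)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")      # covers the method and Request-URI only
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class UserAgent:
    """A UA answers any 401/407 whose realm it holds a password for.  It has no
    way to learn who issued the challenge: that is the one-way property."""

    def __init__(self, username, passwords_by_realm):
        self.username = username
        self.passwords = passwords_by_realm

    def authorization(self, method, uri, challenge):
        realm, nonce = challenge["realm"], challenge["nonce"]
        qop = challenge.get("qop")
        cnonce = secrets.token_hex(8) if qop else None
        response = digest_response(self.username, self.passwords[realm], realm,
                                   method, uri, nonce, qop, cnonce)
        return {"username": self.username, "realm": realm, "nonce": nonce,
                "uri": uri, "qop": qop, "cnonce": cnonce, "nc": "00000001",
                "response": response}


class Registrar:
    """Server side: issues single-use nonces and checks responses against them."""

    def __init__(self, realm, passwords_by_user):
        self.realm = realm
        self.passwords = passwords_by_user
        self.issued = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method, auth):
        if auth["nonce"] not in self.issued:
            return False
        self.issued.discard(auth["nonce"])          # nonce is consumed
        password = self.passwords.get(auth["username"])
        if password is None:
            return False
        expected = digest_response(auth["username"], password, self.realm, method,
                                   auth["uri"], auth["nonce"], auth.get("qop"),
                                   auth.get("cnonce"), auth.get("nc", "00000001"))
        return hmac.compare_digest(expected, auth["response"])


REALM = "sip.example.com"               # constructed
REGISTER_URI = "sip:sip.example.com"    # constructed


def honest_registration():
    """Normal flow: registrar challenges, UA answers, registrar accepts."""
    registrar = Registrar(REALM, {"alice": "s3cret"})
    alice = UserAgent("alice", {REALM: "s3cret"})
    auth = alice.authorization("REGISTER", REGISTER_URI, registrar.challenge())
    return registrar.verify("REGISTER", auth)


def server_impersonation():
    """Attacker sits where the UA expects its registrar (spoofed address or
    on-path, cf. point 1 of the thread).  It fetches a live challenge from the
    real registrar, relays it unchanged in its own 401, and submits the UA's
    answer as its own REGISTER.  The UA cannot tell this 401 from a genuine one."""
    registrar = Registrar(REALM, {"alice": "s3cret"})
    alice = UserAgent("alice", {REALM: "s3cret"})
    relayed = registrar.challenge()        # attacker obtains a real nonce
    auth = alice.authorization("REGISTER", REGISTER_URI, relayed)
    # The Digest covers method and Request-URI but not Contact, so the attacker
    # can pair this Authorization with its own Contact and hijack the binding.
    return registrar.verify("REGISTER", auth)
```

Both `honest_registration()` and `server_impersonation()` return True, which is the whole point: the registrar's check passes equally for the legitimate UA and for whoever can place a challenge in front of it. Mutual assurance has to come from elsewhere (for example TLS with a verified server certificate on the signalling leg).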
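The transaction-ID step described in point 3 above, as an added example that is not part of the thread or of any product mentioned in it. It implements the server-transaction matching rules of RFC 3261 section 17.2.3 (branch cookie `z9hG4bK` plus top Via sent-by plus method, with the pre-3261 fallback over Request-URI, tags, Call-ID, CSeq and top Via) in a toy stateful proxy, then feeds it a flood of INVITEs with fresh Call-IDs and branches. The addresses, Call-IDs and the per-source limit of new transactions are constructed assumptions, and the limit is one defence a practitioner would add, not something the thread proposes. The example also shows the check the thread leaves implicit: a retransmission with the same branch does not create new state.

```python
"""Server-transaction matching (RFC 3261 section 17.2.3) in a stateful proxy,
and why a flood of requests with fresh branches/Call-IDs creates fresh state
while retransmissions do not.  Added example, not code from the VOIPSEC thread;
the messages, addresses and the per-source limit are constructed."""
import re
from collections import defaultdict

MAGIC = "z9hG4bK"   # RFC 3261 branch cookie


def parse_request(raw: str):
    """Minimal SIP request parser: request line plus headers (compact forms ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, uri, headers


def tag(header_value: str) -> str:
    m = re.search(r";tag=([^;]+)", header_value)
    return m.group(1) if m else ""


def server_transaction_key(method, uri, headers):
    """Key under which RFC 3261 17.2.3 says a server transaction is matched."""
    top_via = headers["via"][0]
    sent_by, *params = [p.strip() for p in top_via.split(";")]
    branch = next((p[len("branch="):] for p in params if p.startswith("branch=")), None)
    m = "INVITE" if method == "ACK" else method     # ACK matches its INVITE
    if branch and branch.startswith(MAGIC):
        return ("rfc3261", branch, sent_by, m)
    # Pre-RFC-3261 rule: Request-URI, To tag, From tag, Call-ID, CSeq, top Via
    return ("rfc2543", uri, tag(headers["to"][0]), tag(headers["from"][0]),
            headers["call-id"][0], headers["cseq"][0], top_via, m)


class StatefulProxy:
    """One server transaction per key (RFC 3261 17.2), plus a count of new
    transactions per source address so a flood is visible and bounded."""

    def __init__(self, max_new_per_source=50):
        self.transactions = {}
        self.new_per_source = defaultdict(int)
        self.max_new = max_new_per_source

    def receive(self, raw, source):
        method, uri, headers = parse_request(raw)
        key = server_transaction_key(method, uri, headers)
        if key in self.transactions:                 # retransmission: no new state
            self.transactions[key]["retransmissions"] += 1
            return "retransmission"
        if self.new_per_source[source] >= self.max_new:
            return "rejected"                        # a 503 with Retry-After would go here
        self.new_per_source[source] += 1
        # Everything the thread lists as per-transaction work hangs off this
        # entry: stored request, state machine, provisional response, client
        # transactions towards the next hop.
        self.transactions[key] = {"request": raw, "state": "Proceeding",
                                  "retransmissions": 0}
        return "new"


def invite(call_id, branch):
    """Constructed INVITE from a single attacking host (addresses are TEST-NET)."""
    return ("INVITE sip:bob@sip.example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 203.0.113.7:5060;branch={branch}\r\n"
            "From: <sip:alice@sip.example.com>;tag=a1\r\n"
            "To: <sip:bob@sip.example.com>\r\n"
            f"Call-ID: {call_id}\r\n"
            "CSeq: 1 INVITE\r\n"
            "Content-Length: 0\r\n\r\n")


def flood(n, limit=50):
    """Send n INVITEs with distinct Call-IDs and branches from one source, then
    retransmit the first one.  Returns (outcome counts, live transactions)."""
    proxy = StatefulProxy(max_new_per_source=limit)
    results = defaultdict(int)
    for i in range(n):
        r = proxy.receive(invite(f"call{i}@203.0.113.7", f"{MAGIC}{i:08x}"), "203.0.113.7")
        results[r] += 1
    r = proxy.receive(invite("call0@203.0.113.7", f"{MAGIC}{0:08x}"), "203.0.113.7")
    results[r] += 1
    return dict(results), len(proxy.transactions)
```

With the limit in place, `flood(200)` creates 50 transactions, rejects 150 and recognises the final retransmission without allocating anything; without it the proxy's table grows once per attacker-chosen branch, which is the resource consumption the thread describes. Note that under the RFC 3261 rule the Call-ID plays no part in matching, so an attacker who varies only the branch gets the same effect as one who varies the Call-ID.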